SpamSlayer - should we DDOS spammers?
pointbeing writes "Just read this article about a company called Blue Security that essentially floods a spammer's website with requests to unsubscribe members - we're talking thousands of requests per day - the company's CEO says that fighting back by "inducing loss" against spammers is the only way to eventually stop them.
Although I hate spam as much as the next guy, is participating in a DDOS attack the way to bring spammers to their knees? If it's okay in this instance, is it okay to DDOS the next guy who does something we don't like?"
Sounds like a lawsuit waiting to happen... (Score:5, Interesting)
Easy profit (Score:2, Interesting)
I remember when this debate started (Score:5, Interesting)
Should we bomb them into oblivion?
Or should we listen to the voice of reason and tolerate this behavior as a necessary evil, integral to the total freedom of the global Internet?
Sometimes I think we chose wrong.
Re:Sophistry at its finest... (Score:1, Interesting)
Ultimately, all this soft CANSPAM style BS needs to stop, and tougher measures need to be brought up to speed.
It's just communication (Score:1, Interesting)
Re:Sophistry at its finest... (Score:5, Interesting)
This has been going on for years (Score:2, Interesting)
All in all a pita for him. But the thing that will shut down a spammer... Charge Backs. Anyone who deals with online sales and credit cards knows that the quickest way to lose your online sales ability is to have a few people return their goods and demand their money back. CC companies hate this, and if you get more than a few over a year, you can bet your account is going to get revoked. And getting an ISP is a hell of a lot easier than getting a CC carrier.
-Rick
Collateral Damage (Score:2, Interesting)
Fighting fire with fire usually results in damage to both sides (friendly fire anyone?)
Re:Two wrongs don't make a right (Score:2, Interesting)
Imagine if drug dealers were invisible, but drug buyers glowed in the dark.
It depends on the timing. (Score:5, Interesting)
It may be necessary, in the process of stopping the harm, to inflict harm on the attacker. Take care that your response isn't more harmful than that which had been threatened.
Failing to act in that circumstance is at best a reverse tragedy of the commons, in the general case laziness, and at worst is sheer cowardice.
After the fact it becomes mere revenge, which is a waste of time.
Re:Hate to break it to you, but (Score:3, Interesting)
Also I set up a catch all for my clients. They sign up at websites as @domain.com. Then if that domain starts sending spams we add as an alias to the spam@domain.com. This has helped a great deal as people's primary e-mail accounts remain hidden behind the catch all. And it requires almost no work for the clients. They can send me a quick note or add it through their "control panel" blacklist...
What do other slashdotters do that are admins for hosting companies or midsize-big companies? I would be interested
Wait a second (Score:5, Interesting)
Didn't...this already happen? I can't find an article offhand (Googling mostly gives back results about the RIAA website getting DOSd). I'm not sure of the outcome, but I do know that a few years ago, the RIAA sought amnesty from laws regarding DOS attacks, so that they could DOS "known pirates". I'm not sure if they were ever granted anything relating to this though..but judging by the fact that I can't find anything relating to the subject, I'd guess that nothing ever came of it.
Re:It depends on the timing. (Score:3, Interesting)
Unless it can be shown that he's in the habit of continuing to do it. Taking him out after an event is pre-emptive and self defense against the inevitable next event. It's the same reason that some women who kill their wife-beating husbands in their sleep are acquitted of murder.
Do-Not-Intrude Registry Service (Score:5, Interesting)
Blue Frog clients do not arbitrarily perform DDoS on spam sites. They complain about specific spam messages received in mailboxes belonging to our users. Our users exercise their right to complain about the spam they receive. They are merely responding to invitations to the spammer's website.
The Blue Frog enters the site and sends a complaint just as a user would do manually. It does not consume more resources from the site or from its ISP than a user could do manually. Many users have tried sending complaints to spammers at some point requesting to unsubscribe. We merely allow the users to do it in a safe and automated manner.
Our goal is to force spammers to comply with the Do-Not-Intrude Registry - to clean out our users' addresses from their mailing lists. When they do so, they will not receive even one single complaint from community members.
We perform thorough manual (human) validation on the spam messages we act upon, to prevent Joe Jobs and to make sure we minimize any possible impact on third parties.
Guy Rosen
Blue Security, Director of Operations
http://www.bluesecurity.com/ [bluesecurity.com]
Re:Sophistry at its finest... (Score:2, Interesting)
Comment removed (Score:3, Interesting)
Re:Sophistry at its finest... (Score:3, Interesting)
'or'test@yahoo.com'like'%
If the spammer uses sequel sewer or access rather than a real database, this will wipe their address list squeaky clean!
At which point, the spammer gets to sue you for business damages due to lost potential revenue? The best part is, they can scale the damages based on their potential lost revenue (IE - the bigger the spammer, the more they can hold you liable for).
Re:Sophistry at its finest... (Score:3, Interesting)
Re:Sophistry at its finest... (Score:3, Interesting)
I'm not oversimplifying at all here. The difference between Blue Security's strategy and a Slashdotting is one of intent. Slashdotters don't intend to take down the site they are trying to view. Blue Security, however, has openly admitted that their strategy is designed to cripple spammers' web sites. While the actual content of Blue Security's traffic consists of perfectly valid unsubscribe requests, the fact remains that the primary objective is to bring spam websites to their knees through sheer volume...the precise definition of a DDOS attack.
I hate spam as much as the next guy, but vigilantism such as this will only make a bad situation worse.
Re:Sophistry at its finest... (Score:1, Interesting)
The best bet is to proxy & fill out their forms "several" times. That jackass last week who was getting his porn spam past all our filters (the guy who would send seven spams in a row inside of a minute) was vulnerable to this. If you fill out his order form with realistic junk you would even get access to his content page... because he didn't charge the card, just checked the lum... not that there was much content... not that I would know firsthand.
Now if you insist on reloading there are tools. On download.com you can get a freeware prog based on IE4 called Refresher. It can be set to auto-reload a website every seven seconds. Make sure you add a ? and a few hundred extra characters to the end of the URL to make his access log especially long and time consuming to download. But like I said it may only be useful if you have a t1 or better. There are tools on sourceforge to flood forms, or you can just use a key macro program and a spare computer to work his form overnite.
I advocate this because it works, not preaching from any moral position. The $59 home business spammers are knocked out immediately and permanently if only ONE guy does this, while the big box spammers implement all kinds of defense -- javascript form checks (just turn off javascript) etc etc that make their order page difficult and annoying and actually end up costing them legit orders... because they can't stand being spammed with bogus orders.
I see... (Score:3, Interesting)
Rather than taking an offensive stance, let's design a system that runs in a distributed way (a network) that can detect a particular spam email as it is sent out to millions of addresses. Then, merely in response to that event, the nodes on the network coordinate to create an automated reply to unsubscribe from that piece of email.
Now, I am sure there are those among you that would argue that this is a DDoS type approach. And it is. Except I think you'd stand a very good chance in court (if it ever even made it that far) of arguing that is perfectly legal. Spamming is illegal, and they are required to provide a link to unsubscribe. In the case that they do not, some nodes on the network could sleuth down the appropriate address to send the request to and provide it to other nodes. Thus, the network would never initiate an attack, it would merely recognize and respond (using the channels provided for in law) to the emails that are sent out. Sure, the end effect would be a DDoS, but so is a Slashdotting - and that isn't illegal.
I haven't done my homework on the wording of the law that makes a DDoS illegal (besides, in whose jurisdiction is it illegal?), but there are so many DDoS-like events on the web that the law cannot make them ALL illegal, and if Slashdotting is OK, I'm sure the scheme outlined above would be OK, too.
Re:Sophistry at its finest... (Score:2, Interesting)
Fight Back. (Score:2, Interesting)
Now sending floods to unsubscribe lists is not the way to be doing it however.
The attacks should be directed at the injecting IP.
In the example below, I direct a ping flood to: 219.86.51.137
Further, you could parse the body for the web sites actually hosting the spam.
As well, you can have scripts automatically send notifications to blacklisters and abuse departments of the upstream providers.
net.tw ---> http://www.pigo.cn/index.htm [www.pigo.cn] gets abuse complaint.
(Now if I could only write in Chinese)
Further, you could hack the injecting box:
Starting nmap 3.55 ( http://www.insecure.org/nmap/ [insecure.org] ) at 2005-07-18 10:40 MDT
Interesting ports on 219-86-51-137.dynamic.tfn.net.tw (219.86.51.137):
(The 1658 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
135/tcp filtered msrpc
1025/tcp open NFS-or-IIS
Looks like some juicy ports.
Example Spammer Header:
>From ahzu6.j93m6@yahoo.com Mon Jul 18 10:22:54 2005
Return-Path:
Received: from 142.127.184.144 (219-86-51-137.dynamic.tfn.net.tw [219.86.51.137])
by ns.qualico.ca (8.9.3/8.8.7) with ESMTP id KAA23411;
Mon, 18 Jul 2005 10:22:54 -0600
Message-Id:
From: =?Big5?B?dzahuTahuTYyMzo1MjoyMQ==?=
Subject: =?Big5?B?GwgYsdAUsXoVvHYCpPkDsMURv+gIIRMhEggI?=
Content-Type: text/html;
charset="BIG-5"
Sender: "w66623:52:21"
Reply-To: ahzu6.j93m6@yahoo.com
Date: Mon, 18 Jul 2005 23:55:06 +0800
X-MimeOLE: Produced By Mircosoft MimeOLE V6.00.2600.0000
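
For the abuse-report step mentioned in the comment above, an added example (not part of the original post) of reading a header like the one quoted: only the bracketed address in the Received line written by your own server was recorded by that server, while the name after "from" is whatever the client claimed in HELO. The hostname mx.example.org, the function name and the sample message are assumptions constructed for illustration, using documentation address ranges.

```python
import ipaddress
import re
from email import message_from_string

OUR_MTA = "mx.example.org"  # assumption: hostname of the receiving mail server

# Constructed sample in the sendmail style of the quoted header.
# All addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE = (
    "Received: from 198.51.100.44 (host-203-0-113-7.dynamic.example.net [203.0.113.7])\n"
    "\tby mx.example.org (8.9.3/8.8.7) with ESMTP id KAA23411;\n"
    "\tMon, 18 Jul 2005 10:22:54 -0600\n"
    "Received: from mail.forged.example ([192.0.2.99]) by 198.51.100.44;\n"
    "\tMon, 18 Jul 2005 23:50:00 +0800\n"
    "From: sender@example.com\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# "from <HELO> (<reverse DNS> [<peer IP>])"; the reverse-DNS name is optional.
FROM_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9A-Fa-f:.]+)\]\)"
)
BY_RE = re.compile(r"\bby\s+(?P<by>[^\s;]+)")


def injecting_hop(raw_message, our_mta=OUR_MTA):
    """Return the peer recorded by our own MTA, or None if no such hop exists.

    Received headers are prepended, so they are read newest first. Lines not
    written by our_mta were supplied by the sender and may be forged, so they
    are skipped rather than trusted.
    """
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        line = " ".join(value.split())  # unfold continuation lines
        by = BY_RE.search(line)
        if not by or by.group("by").lower() != our_mta.lower():
            continue
        frm = FROM_RE.search(line)
        if not frm:
            return None
        try:
            ip = ipaddress.ip_address(frm.group("ip"))
        except ValueError:
            return None
        helo = frm.group("helo").strip("[]")
        rdns = frm.group("rdns")
        recorded = {str(ip)} | ({rdns.lower()} if rdns else set())
        return {
            "ip": str(ip),            # socket peer address, logged by our server
            "rdns": rdns,             # reverse DNS looked up by our server
            "helo": helo,             # client-supplied, not evidence of origin
            "helo_matches": helo.lower() in recorded,
        }
    return None


if __name__ == "__main__":
    print(injecting_hop(SAMPLE))
```

A HELO value that does not match the recorded peer, as in the quoted header, is a useful spam signal in itself; the address to put in a report to the upstream provider's abuse desk is the recorded one.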
Re:What shall we do? (Score:2, Interesting)
So, what is left. Fighting back. Having a bunch of people loading the web site promoted by the spam, which is not so bad, as if the email was sent, a response is to be expected. Or perhaps every person calling the location the spam is promoting. But that would be so unfair, the republicans with high school mentalities protest. The firm may not have known that spam was going to be used. They are just trying to run an honest operation, and the email is just advertising. If you don't like it, ignore it. There is no reason to make trouble for the poor employees at the front desk, who will just lose their jobs if the firm goes down. Think of the children.
So, we are left as sheep, hoping the shepherd will save us. But we have learned first the sheep, then the shepherd. Even so it would be so unfair to do anything that might infringe on the inalienable and self evident right to make money using any means necessary.
Re:Sophistry at its finest... (Score:2, Interesting)
Re:Sounds like a lawsuit waiting to happen... (Score:5, Interesting)
Read up on the history of the Church[spit] of Scientology's lawsuits and of the lawsuits that were filed against MAPS in 2000 by spammers and get back with us.
One thing LRH got right: lawsuits under the US system are not all about who is right or about wins in court. They are often about which side can inflict the most damage on its opponent by careful strategic pursuit of the lawsuit.
Bad idea. (Score:3, Interesting)
What *I* hate about spam is the fact that there's so much of it that it accounts for a good measurable percentage of the total traffic on the net. Think about it. Spam is usually small messages, sent to thousands of recipients all over the world. So every bit of spam branches out from the spammer's local mail relay and induces a small amount of traffic to a great many parts of the network.
There are lots of spammers. They send lots of spam to lots and lots of people. That makes up a huge collection of packets that have to be routed all over the globe, all day long. I heard a figure somewhere saying it might be as high as 60% of total traffic.
My ping times to various game servers are seldom better than 70ms, and quite often over 100ms. I'm willing to bet that if all that crap weren't being flushed all over the net, the overall latency would drop by a good 20ms.
(Don't get me wrong, I'd rather have a nice T3 and be high enough up to not have the extra latency to begin with... but... I can only hold my breath so long.)
Using DDoS attacks against them would just induce even more garbage onto the network, and make it even slower.
The "right" way to deal with it is to (a) change the SMTP protocol so it requires some form of identification (perhaps a public key signature) -- if I don't recognize the caller-id on my phone, it goes to voicemail, why should email be different?, (b) go back to batch processing of email -- why do you NEED email to get there in 30 seconds, use an IM for real-time. Let mail servers send mail every 4 hours so at least that end can be more efficient. Use compression while you're at it. And (c) make spamming a crime, punishable by firebombing of the offender's house *grin*. If (a) happens, it should be possible to locate the spammer's property and eliminate it. That would remove the incentive for spamming, since all that "hard-earned" money would be lost.
or... (Score:2, Interesting)
invalid on its face (Score:3, Interesting)
You're dealing with a system that really doesn't give a shit what the law is in any one country, or any one group of countries. And since only the insane among us want a world government, that leaves us with the question of what to do when law enforcement is essentially ineffective. Which it has been, and will be, no matter what laws the U.S. decides to pass or what the penalties are. U.S. law, after all, stops at U.S. borders.
So long as there are countries that'll host spammers there'll be mountains of spam to contend with.
If the law can't control the problem, what does that leave you? Seems to me that vigilantism doesn't sound so bad when the alternative is "bend over and grab your ankles".
Max
Its a great idea! (Score:3, Interesting)
I know most of you are too young to remember the old days of the Internet but before DDOSing was illegal this was the method to stop spammers. That and brute force attacks against their servers. If you were a spammer then you were an open target.
This worked too. Spam increased only after the laws pertaining to network attacks came into effect.
I guess that if someone breaks into your house watches your TV and eats all your food this is ok as long as they don't carry anything out. Still you're left with the electric bill for running the TV and now you also have another mouth to feed. Guess you're made of money. Well I am not and if you break in here you will be dealt with accordingly and I will call the Cops only to come and carry away your corpse.
So if you stick your hand in my pocket to take my money and I cut off your hand am I the bad guy for cutting you? If you hadn't put your hand in my pocket in the first place I would have never hurt you. This is the same thing: spammers stick their hands in my pocket every time they send their shit. So if I cut off their hand by DDOSing them am I wrong? Personally I don't think so.
Remember THEY contacted me first.
The laws are no good. Ever called the FTC about this? Even being an ISP they will not pursue your case. Their only answer is send us an email. Even when you have a mountain of evidence against them. Laws aren't worth the paper they are written on if they are not enforced and the CAN-SPAM Act is just an illusion to appear that the government is doing something about it.
OK guys you can flame me now....
out of band attacks (Score:3, Interesting)
However I am concerned about starting a large scale netwar with the spammers, effectively shutting down the internet. This is essentially what happened for me locally during the whole makelovenotspam fiasco. The spammers fought back with everything they had. It was not pretty. Also, as a rabid e-pirate complete with parrot and eye patch, I am concerned that the war could be an excuse for RIAA/MPAA sponsored attacks as well. The fact is that the internet is a very fragile system which can be easily broken. Some people are arguing that maybe it should be until our governments are willing to pass enforceable spam laws with actual teeth. But I'm not so sure I'd be willing to go that far.
I think a better long term system would be to get large groups of people to join an anti-spam organization which would accept donations and membership dues or whatever to fight against companies that advertise with spam in the real world. Something like a shady, vigilante, version of the EFF. The idea would be to hurt and put out of business companies that advertise with spam as much as possible. Moebius faxes, war dialing of 800 numbers, junk mail attacks, publishing of personal contact information for everyone in management positions including cellphone numbers, email and snail mail addresses. Maybe even opportunistic vandalism in a car-keying, sugar in the gas tank, potato in the tailpipe, spray-painting "spam sucks" onto windshields, kind of way. Presumably a professional organization could come up with even more nuisance ideas. Maybe a freesite could keep track of the exploits.
Problem is the ISPs (Score:2, Interesting)
DDOS attacking is not the answer; taking their network connection is!
Just turn your back on it (Score:3, Interesting)
It's a lot like weather, if you just live with it it's not that bad. I used to get all freaked out about those profiteering on the internet, because I was around a little before it really got commercial (when Mosaic came out and playboy.com started
It's symptomatic of our society--we're a marketing based economy. Almost everyone already has most of what they NEED here in America (food, shelter, medicine, etc.) therefore it's necessary to TEMPT us with things we just WANT and the essence of marketing is WANT. Need doesn't require extensive marketing to match up potential customers, they come looking for you.
Turn your back on spam and all marketing, don't buy into it if you want it to go away. But you should know just by looking at your friends and relatives that it's not going to go away. Everyone buys something because of a brand name or something like that. Nike shoes, Pepsi Cola, pft. We are all part of the problem so we can't really complain.
However, what I didn't like especially about your post was the comment about getting "lawmakers" involved. Ahem, what you are saying is taking the greatest invention furthering freedom of expression and thought and speech since the printing press and REGULATING it because you don't want to delete a few emails?! The price you pay for freedom is high, isn't it. You poor thing, having to suffer for like 2 or 3 minutes a day sorting through your email.
WE CAN'T WIN THIS WAR. Just like we can't "WIN" the "War on Fear" as I like to call the current stance of the U.S. Law Enforcement/Military/Political triumvirate. This isn't a war on "Spam", this is a war on "Annoyance." You might as well start writing letters to your congressperson so maybe they can make it illegal for people to talk on a cell phone in a public place or, how about this, have a dog that barks or a rice burner with a loud stereo.
That's all annoying stuff but guess what, WE PUT UP WITH IT. We're ADULTS and it's just a part of life. If you let every little nitpicking thing get to you then you will die a nervous wreck!
Spam, as I see it, is just an annoyance.
What I DON'T like is Spyware. THAT'S a legitimate thing to declare war on. It invades your computer, sends your private information to others, makes a computer unusable, sends your web browser to its own pages. That's an INVASION.
Annoyances, well.. I can live with those.
Please don't get the law involved with annoyances. Or next thing you know, they'll take your dog away. Then your computer, so you can't annoy me with your silly wars.
Re:That's exactly what they want! (Score:3, Interesting)
force them to invest in bigger servers, new software and more license, and even more bandwidth, then stop ordering and watch them go bankrupt.
I wonder who will go broke first?